12-16-2008 07:54 AM - edited 03-11-2019 07:26 AM
Hi,
I have a Cisco ASA 5520 and wonder if this is possible.
We have a server (172.24.10.13) on a VLAN off our 5520 that needs to connect to a SQL server (192.168.200.5) on the inside. No problem there, but they want the VLAN server to use port 9999 instead of 1433 for SQL but want the inside SQL server to "see" the 9999 port traffic as 1433, possible?
I thought there might be a way to translate traffic sent as TCP 9999 to TCP 1433 before it hits 192.168.200.5.
12-16-2008 10:34 AM
Sure, it's called a port translation. Below is an example. Here we translate port 8080 on a public IP to port 80 on the inside web server.
static (inside,outside) tcp 69.222.73.5 8080 192.168.1.20 80 netmask 255.255.255.255
Hope that helps.
12-16-2008 11:51 AM
Thanks, I guess I will just need to add an access list for this as well? Like an allow any to 69.222.73.5 to 8080?
12-16-2008 11:53 AM
Yep, you got it.
12-16-2008 12:59 PM
hmm, still having no luck.
I added:
static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255
then added an access list to allow 172.24.10.13 to 192.168.200.5 on port 9877
I then tried to telnet to "192.168.200.5 9877" and it failed.
12-16-2008 01:06 PM
In your NAT statement your DMZ client is looking to 172.24.10.13 on port 9877 for SQL access. Is that correct? If so, can you check your log when it fails?
12-16-2008 01:21 PM
My DMZ client is 172.24.10.13 and needs to use TCP 9877 to the inside server 192.168.200.5 and PAT to TCP 1433
12-16-2008 01:39 PM
Do you NAT between your DMZ or route?
12-16-2008 01:43 PM
I NAT
12-16-2008 01:50 PM
You'll need a new NAT address that translates to the inside. Something like this-
static (DMZ_Web_Servers,inside) tcp [new NAT IP] 9877 192.168.200.5 1433 netmask 255.255.255.255
12-16-2008 01:54 PM
I see, so I can't use the IP of the DMZ server, I need to use this PAT and only server can use this?
12-16-2008 01:56 PM
Yes, but anyone can use it, you'll restrict that with the ACL.
12-16-2008 02:00 PM
So I can use a random IP address from the DMZ subnet that is not in use?
12-16-2008 02:02 PM
Most people set up a special subnet just for NAT, but if you didn't then grabbing a local IP should work. However your current NATs are set up.
12-16-2008 02:19 PM
Hi, just got curious, but shouldn't you have your static and acl statements like this?
static (inside, DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255
then add acl to (DMZ-int in) permit tcp host 172.24.10.13 host 192.168.200.5 eq 9877
This is just what I understood from the 1st post...
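The point the thread turns on is the direction of the pre-8.3 `static (real_ifc,mapped_ifc)` statement: the real host sits on the first interface and the mapped address/port is what hosts on the second interface see. The small model below is an added example (not from Cisco or any poster) that parses the two statements quoted in this thread and shows which one translates a DMZ client's connection to 192.168.200.5:9877 onto the SQL server's port 1433. It only models destination translation for connections arriving from the mapped side, which is the case discussed here.

```python
import re
from dataclasses import dataclass

# Simplified model of the pre-8.3 ASA statement:
#   static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
# The real host lives on real_ifc; hosts on mapped_ifc reach it via MAPPED_IP:MAPPED_PORT.
STATIC_RE = re.compile(
    r"static\s*\(\s*(?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\s*\)\s*tcp\s+"
    r"(?P<mapped_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<real_port>\d+)"
)

@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    mapped: tuple   # (ip, port) as seen from mapped_ifc
    real: tuple     # (ip, port) of the real host on real_ifc

def parse_static(line):
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static tcp port translation: " + line)
    return StaticPat(m["real_ifc"], m["mapped_ifc"],
                     (m["mapped_ip"], int(m["mapped_port"])),
                     (m["real_ip"], int(m["real_port"])))

def translate(rules, src_ifc, dst_ifc, dst):
    """Return the real (ip, port) a connection from src_ifc toward dst_ifc lands on,
    or None when no static's mapped side faces the client (no translation happens)."""
    for r in rules:
        if r.mapped_ifc == src_ifc and r.real_ifc == dst_ifc and r.mapped == dst:
            return r.real
    return None

# Statements quoted in the thread (constructed inputs for this example):
ATTEMPT = "static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255"
FIX = "static (inside, DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255"

def check(statement, src_ifc="DMZ_Web_Servers", dst_ifc="inside", dst=("192.168.200.5", 9877)):
    """Where does the DMZ client's connect to 192.168.200.5:9877 end up under this statement?"""
    return translate([parse_static(statement)], src_ifc, dst_ifc, dst)

if __name__ == "__main__":
    print("first attempt:", check(ATTEMPT))   # None: the mapped side faces inside, not the DMZ
    print("last reply   :", check(FIX))       # ('192.168.200.5', 1433)
```

With the first attempt, the only translation the model performs is for inside hosts connecting to 192.168.200.5:1433, which it would send to the DMZ host on 9877, the opposite of what was wanted.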